It’s been a busy year for the WordPress security team. Since the beginning of the year, there have been five security releases. Now the team has released WordPress 4.2.4, a security release for all previous versions, and updating your sites immediately is strongly recommended.
Apparently, WordPress 4.2.3 and earlier versions are affected by six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.
The release also includes a patch for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.
In addition to the above security fixes, WordPress 4.2.4 contains fixes for 4 other bugs from 4.2.3. You can find more information in the Release Notes.
WPDB: When checking the encoding of strings against the database, make sure we’re only relying on the return value of strings that were sent to the database. #32279
Don’t blindly trust the output of glob() to be an array. #33093
Shortcodes: Handle do_shortcode('<[shortcode]') edge cases. #33116
Shortcodes: Protect newlines inside of CDATA. #33106
If you own self-hosted or pre-installed WordPress websites, you should check your sites to make sure they’re on WordPress 4.2.4. If your site hasn’t automatically updated yet, you should perform a full backup of the site content and database and update manually.
Also don’t forget to share your views in the comments!